Skip to main content

Choosing the Right Information Security Metrics: How Visual Management and Gemba Boards Drive Continuous Improvement


In information security, it’s easy to collect data—mean time to detect, vulnerabilities closed, incident counts, patch compliance, control coverage—the list can feel endless. Yet too often, those numbers wind up in static dashboards or slides that are reviewed quarterly, rarely influencing daily decisions. The real power of metrics isn’t in reporting what already happened—it’s in enabling teams to see and act on what’s happening now, and to improve the security program continuously.


This is where visual management and Gemba boards become indispensable.


Visual Management: More Than Just Data on a Screen


Visual management is a Lean concept that brings key information into the day-to-day workspace so that teams can understand performance at a glance. Good visual management:

Makes metrics visible and understandable

Encourages real-time conversations

Highlights trends and issues before they become incidents

Connects daily actions to outcomes


For security teams, visual management shifts metrics from a passive report to an active, living part of the team’s workflow.


Gemba Boards: The Heart of Continuous Improvement


As detailed in our post on Gemba boards, a board is a physical or digital display located where the team works (aka the “Gemba,” or the place where work happens). Rather than being shaped for executives, a Gemba board is designed for the practitioners who are closing vulnerabilities, responding to incidents, and reducing risk.  


A well-designed Gemba board answers key questions in seconds:

Are detection and response times improving?

Is vulnerability backlog shrinking or growing?

Where are the bottlenecks?

What experiments or improvements are we currently trying?


This daily visibility turns abstract security work into a shared, observable system, enabling teams to stand up, discuss what’s there, and make course corrections.


Selecting the Right Metrics: Focused, Contextual, Actionable


Not all metrics are created equal. Choosing the right metrics requires discipline and alignment with both security objectives and organizational context.


Here’s how to approach this:


1. Start with Business Outcomes


Metrics must tie back to measurable outcomes that matter to the organization. Simply tracking numbers—like total vulnerabilities—without context contributes noise, not insight. Align metrics with risk reduction, resilience, or business continuity outcomes so that both technical teams and business stakeholders see value.  


2. Prioritize Quality Over Quantity


It’s better to track a small number of well-chosen metrics than dozens of vanity indicators. Metrics should be meaningful, discrete, and manageable. Avoid metrics simply because they’re easy to capture.  


3. Incorporate Both Operational and Outcome Metrics


A healthy Gemba board will include:

Flow and operational metrics: backlog size and aging, throughput, cycle times

Outcome metrics: mean time to detect/respond, vulnerability risk reduction, control effectiveness

Quality signals: reopened tickets, false positives

Improvement experiments: what’s being tested this week and initial results


These categories help balance day-to-day execution with long-term impact.


4. Contextualize and Trend


Metrics without context can be misleading. Place measurements in time, set clear targets or baselines, and show trends. Trends—not single data points—tell whether efforts are moving the program forward.  


5. Embed Continuous Review


As threats and business priorities shift, your metrics should evolve too. Regularly review which indicators are helping the team improve and which are not. Metrics should not be static; they should adapt as your security program matures.  


How Gemba Boards Reinforce Continuous Improvement


Once the right metrics are chosen, a Gemba board makes them actionable:

Teams build ownership of metrics because they see them every day.  

Discussions move from “What happened?” to “What should we do next?”—the essence of improvement.

Problems and bottlenecks become visible early, before they escalate.

Small wins are seen and acknowledged, boosting team morale.


This combination of visual management + the right metrics creates a feedback loop essential to continuous improvement. Metrics become a tool for learning and change, not a monthly reporting chore.


Final Thought: Metrics That Drive Behavior


Good security metrics should answer this simple question: Are we more secure today than we were yesterday? If the answer isn’t clear from your metrics—or if your team doesn’t reference them daily—it’s time to rethink what you’re tracking.


Visual management with a Gemba board ensures metrics are not just collected but used. When teams can see performance, discuss it, and act on it, continuous improvement becomes part of the culture, not a quarterly aspiration.

Labels:

Comments

Post a Comment

Popular posts from this blog

Asset Management - Physical Devices - What do you have? Do you know?

Asset management and inventorying your physical systems, we all know we should do it, and I am sure most try.  I am not going to talk about the should have, would have or could have. Instead, I am going to focus on the risks associated with the NIST CSF control ID-AM.1.   The control simply states, “Physical devices and systems within the organization are inventoried.”  At the simplest level, this control is saying that the organization inventories all physical systems that are apart of the information system. In my opinion, the control is foundational because how can you secure something if you don't know it exists.  If you are not inventorying your systems, how do you know if they have adequate controls to protect the data and network.   If you had a breach of data, would you know what type of data was involved, or would you even know if you had a breach?  To further extend this, how can you perform a risk assessment on the system to understand and relay ...
Post a Comment
Read more

Vulnerability Management… It’s easy - Planning

I am sure you have had either consultants, vendors, or heard at a conference that vulnerability management is foundational security control.  While I agree that it is an essential control, I also understand that it is challenging to implement.  Vulnerability management is not just to pick a tool, scan, and fix issues.  Many components make it a complicated journey.  This series will attempt to help break it down and give you ideas on how this complex service and be delivered effectively.    Planning   Objective When you start, I recommend creating a targeted objective and set of measures against your objective.   Ensure that you keep in mind your organization’s culture, politics, and risk appetite as you are developing your objective.   I have seen some target just “critical” systems for regulatory compliance, whereas others have targeted their entire enterprise.   No matter your scope, keep in mind your team’s current resource...
Post a Comment
Read more

The Detect Function in NIST CSF 2.0: The Risk of Seeing Too Late—or Too Much

In NIST Cybersecurity Framework 2.0 (CSF 2.0) , the Detect function represents the organization’s ability to identify the occurrence of a cybersecurity event in a timely and reliable manner . While Protect focuses on reducing the likelihood of compromise, Detect determines how quickly and how accurately an organization recognizes that something has gone wrong. For CISOs and security leaders, detection is where many programs quietly fail. Not due to a lack of tools, but due to poor signal quality, unclear objectives, and misalignment with business impact. Detection that is late, noisy, or misunderstood can be as damaging as no detection at all. Official NIST CSF 2.0 guidance is available here: https://www.nist.gov/publications/nist-cybersecurity-framework-csf-20 What the Detect Function Is (and What It Enables) Under CSF 2.0, the Detect (DE) function focuses on outcomes related to: Continuous monitoring Anomalies and event detection Security logging and analysis Threat intelligence ...
Post a Comment
Read more